package com.childenglish.config;

import org.springframework.boot.web.servlet.FilterRegistrationBean;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.filter.OncePerRequestFilter;

import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

/**
 * 安全响应头配置
 * 配置HSTS、CSP、Cookie安全属性等
 */
@Configuration
public class SecurityHeadersConfig {

    /**
     * 安全响应头过滤器
     * 添加HSTS、CSP等安全响应头
     */
    @Bean
    public FilterRegistrationBean<SecurityHeadersFilter> securityHeadersFilter() {
        FilterRegistrationBean<SecurityHeadersFilter> registration = new FilterRegistrationBean<>();
        registration.setFilter(new SecurityHeadersFilter());
        registration.addUrlPatterns("/*");
        registration.setName("securityHeadersFilter");
        registration.setOrder(0); // 最先执行
        return registration;
    }

    /**
     * 安全响应头过滤器实现
     */
    public static class SecurityHeadersFilter extends OncePerRequestFilter {

        @Override
        protected void doFilterInternal(HttpServletRequest request, HttpServletResponse response, 
                                      FilterChain filterChain) throws ServletException, IOException {
            
            // HSTS (HTTP Strict Transport Security)
            // 仅在HTTPS连接时添加HSTS头
            if (request.isSecure() || "https".equalsIgnoreCase(request.getHeader("X-Forwarded-Proto"))) {
                response.setHeader("Strict-Transport-Security", 
                    "max-age=31536000; includeSubDomains; preload");
            }

            // CSP (Content Security Policy)
            response.setHeader("Content-Security-Policy",
                "default-src 'self'; " +
                "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.jsdelivr.net; " +
                "style-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; " +
                "img-src 'self' data: https:; " +
                "font-src 'self' https://cdn.jsdelivr.net data:; " +
                "connect-src 'self' http://localhost:* ws://localhost:* wss://localhost:*; " +
                "frame-ancestors 'none'; " +
                "base-uri 'self'; " +
                "form-action 'self'");

            // X-Content-Type-Options
            response.setHeader("X-Content-Type-Options", "nosniff");

            // X-Frame-Options
            response.setHeader("X-Frame-Options", "DENY");

            // X-XSS-Protection (已废弃，但保留兼容性)
            response.setHeader("X-XSS-Protection", "1; mode=block");

            // Referrer-Policy
            response.setHeader("Referrer-Policy", "strict-origin-when-cross-origin");

            // Permissions-Policy
            response.setHeader("Permissions-Policy", 
                "geolocation=(), microphone=(), camera=()");

            filterChain.doFilter(request, response);
        }
    }
}

